Secure Web Programming - Is Saving a Few Dollars Really Worth It?

Thursday, January 15, 2009

Recently, 'experts' released a list of the top 25 most dangerous programming errors. I suspected the list would consist of numerous esoteric gaffes that applied only to hardened C++ or Assembly veterans, and was pleasantly surprised to find that most involved the practical mistakes of typical day-to-day applications.


I am consistently shocked by the amount of poorly written code I stumble upon. Since Actualize Studio does work with a number of clients, I suppose I am subjected to a lot of different codebases, but still - it's quite unnerving. I would have to say that when it comes to web programming, the two most common security flaws I encounter from this list are "Improper (or just poor or non-existent) Input Validation" and "Failure to Preserve SQL Query Structure (aka 'SQL Injection')".


Most custom web applications have a lot of forms. I used to kid around with friends that this was all I did - make forms. Over time, I disciplined myself to include as much data validation as possible, wherever possible, because ultimately it would save me time to just 'do it right the first time'. Getting calls at all hours of the morning because of unexpected crashes inflicted this habit upon me.


I also quickly learned the power and beauty of stored procedures. In .Net, for example, utilizing a command object and setting parameters not only ensures proper data typing (about which I could write another post), but eliminates the possibility of SQL Injection attacks. It's also just better programming. Do enough web work and, over time, it will become second nature. Today, I can't even imagine not adhering to these principles.
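The two habits described above, validating form input before it reaches the database and passing values as typed parameters to a stored procedure, as an added C# example. This is not code from the original post or from Actualize Studio; the Orders table, its columns, the connection string and the stored procedure name usp_GetOrdersForCustomer are assumptions made for illustration.

```csharp
// Added example, not code from the original post or from Actualize Studio.
// Assumptions for illustration: an Orders table with OrderId, CustomerId and
// Total columns, and a stored procedure named usp_GetOrdersForCustomer.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class OrderRepository
{
    // BEFORE: the query text is assembled from the raw form field. Whatever the
    // user typed becomes part of the SQL statement itself, so the input can
    // change the structure of the query rather than only supplying a value.
    public static string BuildUnsafeQuery(string customerIdFromForm)
    {
        return "SELECT OrderId, Total FROM Orders WHERE CustomerId = " + customerIdFromForm;
    }

    // AFTER: validate the field first, then hand the typed value to a stored
    // procedure through a parameter. The value travels separately from the SQL
    // text, so it is never interpreted as SQL, and SqlDbType.Int enforces the
    // data type at the same time.
    public static IList<(int OrderId, decimal Total)> GetOrdersForCustomer(
        string connectionString, string customerIdFromForm)
    {
        // Input validation: the form field must be a positive integer.
        if (!int.TryParse(customerIdFromForm, out int customerId) || customerId <= 0)
        {
            throw new ArgumentException("CustomerId must be a positive integer.",
                                        nameof(customerIdFromForm));
        }

        var orders = new List<(int, decimal)>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("usp_GetOrdersForCustomer", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    orders.Add((reader.GetInt32(0), reader.GetDecimal(1)));
                }
            }
        }
        return orders;
    }
}

/* The assumed stored procedure, in T-SQL. Its parameter is declared with the
   same type the C# code binds, so a non-integer value is rejected by the
   database as well:

   CREATE PROCEDURE usp_GetOrdersForCustomer
       @CustomerId INT
   AS
   BEGIN
       SET NOCOUNT ON;
       SELECT OrderId, Total
       FROM Orders
       WHERE CustomerId = @CustomerId;
   END
*/
```

The same Parameters collection works for inline SQL (CommandType.Text with @CustomerId in the statement), so the protection does not depend on stored procedures as such; the stored procedure adds a second, server-side type check and keeps the query text out of application code entirely.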
I could go on about all of the items on the list, but the point I am trying to make is that a responsible developer should not only be in command of their code, but should intimately understand each and every one of these programming errors and the direct repercussions of not learning how to avoid them - for themselves AND their client. More often than not, companies looking for development work are completely unaware that by focusing on getting a good deal, they may instead be paying for future problems by hiring a firm that employs irresponsible (and insecure) developers. Good luck calculating those costs.


And although there are numerous factors to consider when choosing a person or business to provide development assistance, do not underestimate the long term benefits of having your work performed correctly THE FIRST TIME.